
ASPROTECT - OEP?


cps530
March 27th, 2004, 08:17
I'm working on a program packed with ASPROTECT 1.23 RC4. Using the exceptions method by Ricardo Narvaja, I have found the following instructions as the OEP:

00509FE8 PUSH 0
PUSH 0
DEC ECX
JNZ 00509FE8

I can't find stolen bytes, and stepping over some instructions below, the program starts. Those instructions seem very strange! Or not? Do I need to continue searching for the OEP? Thanks

Teerayoot
March 27th, 2004, 09:23
Where can I download that program?
Or send it to me via email.

Ricardo Narvaja
March 27th, 2004, 15:25
The method puts you at the first instruction of the original program that is executed, which is not the real OEP. Look in the stack to see whether you have a

RETURN TO ...... XXXXXX

If XXXXXX is in the first section too, you are inside a CALL; mark this line in the stack, right-click FOLLOW IN DISASSEMBLER and go out of the call, possibly to the OEP zone.

Ricardo

cps530
March 27th, 2004, 15:53
Yes, I have one, but it is a RETURN TO kernel.77E814C7. And nothing more. Any idea?

Ricardo Narvaja
March 27th, 2004, 20:27
Well, if you do not have RETURNs to a code section in the stack, before

00509FE8 PUSH 0
PUSH 0
DEC ECX
JNZ 00509FE8

is there a space with zeros? (zone for stolen bytes)
Another thing about the exceptions method: you count the exceptions in the ASProtect zone (not exceptions in other DLLs, or in the exe).
Ricardo

cps530
March 28th, 2004, 07:53
Yes, there is a space with zeros. So I think I have stolen bytes. The problem is the stolen bytes are trashed (I believe so). Is there any tutorial describing or commenting on how to handle that? Thanks

Ricardo Narvaja
March 28th, 2004, 13:53
Well, there are many tutorials on my FTP, but they are all in Spanish. I think it is better you go to the RCE forum and look for a tutorial in English; there are some tutorials on ASProtect with stolen bytes.
There are many methods for you to obtain the stolen bytes: tracing the code before the OEP, or comparing the stack of the program when it starts against the stack of the program when it stops at the OEP.
If you write down the values of the registers when the program starts, before unpacking, and compare them with the registers at the real OEP (not the fake OEP), they are equal; for this reason the differences at the fake OEP are made by the lines that were executed.

An example

if at the start of the program you have EBP=12ff00

and the stack of the program when it starts is

0012FFC4 77E614C7 RETURN to kernel32.77E614C7
0012FFC8 77F417E6 RETURN to ntdll.77F417E6 from ntdll.77F68C4E
0012FFCC 77F41778 RETURN to ntdll.77F41778 from ntdll.77F417B5
0012FFD0 7FFDF000
0012FFD4 F9FB0CF0
0012FFD8 0012FFC8
0012FFDC 8053C88F
0012FFE0 FFFFFFFF End of SEH chain
0012FFE4 77E74809 SE handler
0012FFE8 77E71210 kernel32.77E71210

and the stack of the program at the fake OEP is

0012FFC0 0012FF00
0012FFC4 77E614C7 RETURN to kernel32.77E614C7
0012FFC8 77F417E6 RETURN to ntdll.77F417E6 from ntdll.77F68C4E
0012FFCC 77F41778 RETURN to ntdll.77F41778 from ntdll.77F417B5
0012FFD0 7FFDF000
0012FFD4 F9FB0CF0
0012FFD8 0012FFC8
0012FFDC 8053C88F
0012FFE0 FFFFFFFF End of SEH chain
0012FFE4 77E74809 SE handler
0012FFE8 77E71210 kernel32.77E71210

It is obvious the first line executed was PUSH EBP; the difference between the stacks is this value.

Generally you find 5 or 6 values, and if you analyze the stack comparison, you can find the lines executed easily.

Ricardo


cps530
March 28th, 2004, 16:49
Thanks for your tips. I speak Spanish, so, if you can, tell me your FTP address. Thanks again.

Ricardo Narvaja
March 29th, 2004, 01:45
Well, my FTP is

ftp://curso:curso@ricnar456.no-ip.org/

user: curso
pass: curso

folder NUEVO CURSO-TEORIAS

And since I don't know how to speak English, I don't know whether anything I explained before was understood, but the basis is that at the correct OEP and at the start of the program, before running it, the registers and the stack must be equal; so when you stop at the point where the exceptions method leaves you, by analyzing the differences you extract the lines that were executed.

Ricardo
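The comparison Ricardo describes in the two replies above, as an added example that is not code from the thread: a Python script that diffs the stack and registers at program start against those at the fake OEP and names the prologue lines that must have been executed in between. The entry register values, the slots below 0012FFC4 and the Delphi-style prologue they imply (PUSH EBP / MOV EBP,ESP / ADD ESP,-10 / PUSH EBX / PUSH ESI / PUSH EDI) are constructed for this example; the upper stack lines are the ones quoted in the post.

```python
"""Added example (not from the thread): recover the lines executed before a
fake OEP by diffing start-of-program and fake-OEP stack/register snapshots.
All sample values below are constructed; they are not taken from a real binary."""
from typing import Dict, List

# Registers whose saved values we try to match; ESP is tracked separately
# because the push sequence itself moves it.
REGS = ("EAX", "ECX", "EDX", "EBX", "EBP", "ESI", "EDI")


def parse_stack_dump(text: str) -> Dict[int, int]:
    """Parse OllyDbg-style stack lines ('ADDR VALUE optional comment') into {addr: value}."""
    stack: Dict[int, int] = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            stack[int(parts[0], 16)] = int(parts[1], 16)
        except ValueError:
            continue  # not an 'address value' line
    return stack


def frame_unchanged(start_stack: Dict[int, int], fake_stack: Dict[int, int]) -> bool:
    """Sanity check: every dword that existed at start must still hold the same value."""
    return all(fake_stack.get(addr) == val for addr, val in start_stack.items())


def reconstruct_prologue(start_regs: Dict[str, int], start_stack: Dict[int, int],
                         fake_regs: Dict[str, int], fake_stack: Dict[int, int]) -> List[str]:
    """Walk the stack that exists at the fake OEP but not at start, from the entry ESP
    down to the fake-OEP ESP (push order). A dword equal to a register's start value
    is a PUSH of that register; a run of unexplained dwords is space for locals."""
    esp_start = min(start_stack)  # the start dump begins at the entry ESP
    esp_fake = fake_regs["ESP"]
    if esp_fake >= esp_start:
        raise ValueError("nothing was pushed before the fake OEP")

    lines: List[str] = []
    gap = 0  # bytes of unexplained stack since the last recognised PUSH

    def flush_gap() -> None:
        nonlocal gap
        if gap:
            lines.append(f"ADD ESP,-{gap:X}")
            gap = 0

    for addr in range(esp_start - 4, esp_fake - 4, -4):
        val = fake_stack.get(addr)
        matches = [r for r in REGS if start_regs[r] == val]
        if not matches:
            gap += 4
            continue
        flush_gap()
        line = f"PUSH {matches[0]}"
        if len(matches) > 1:  # two registers held the same value at start: check by hand
            line += f"  ; or {'/'.join(matches[1:])}"
        lines.append(line)
        # EBP now pointing at the slot holding the old EBP means MOV EBP,ESP followed.
        if matches[0] == "EBP" and fake_regs["EBP"] == addr and start_regs["EBP"] != addr:
            lines.append("MOV EBP,ESP")
    flush_gap()
    return lines


# --- constructed snapshots (hypothetical values) ---------------------------
START_REGS = {"EAX": 0x00000000, "ECX": 0x0012FFB0, "EDX": 0x7FFE0304, "EBX": 0x7FFDF000,
              "ESP": 0x0012FFC4, "EBP": 0x0012FFF0, "ESI": 0x00000001, "EDI": 0x00401000}
START_DUMP = """
0012FFC4 77E614C7 RETURN to kernel32.77E614C7
0012FFC8 77F417E6 RETURN to ntdll.77F417E6 from ntdll.77F68C4E
0012FFCC 77F41778 RETURN to ntdll.77F41778 from ntdll.77F417B5
0012FFD0 7FFDF000
0012FFD4 F9FB0CF0
0012FFD8 0012FFC8
0012FFDC 8053C88F
0012FFE0 FFFFFFFF End of SEH chain
0012FFE4 77E74809 SE handler
0012FFE8 77E71210 kernel32.77E71210
"""
# At the fake OEP only EBP and ESP differ; the four dwords 0012FFB0-0012FFBC are
# loader garbage in the space reserved for locals.
FAKE_REGS = dict(START_REGS, ESP=0x0012FFA4, EBP=0x0012FFC0)
FAKE_DUMP = """
0012FFA4 00401000
0012FFA8 00000001
0012FFAC 7FFDF000
0012FFB0 00509FE8
0012FFB4 77E81234
0012FFB8 0000000A
0012FFBC 0012FF80
0012FFC0 0012FFF0
""" + START_DUMP


def demo() -> List[str]:
    start_stack = parse_stack_dump(START_DUMP)
    fake_stack = parse_stack_dump(FAKE_DUMP)
    if not frame_unchanged(start_stack, fake_stack):
        raise ValueError("the original frame was modified: this is not a plain prologue")
    return reconstruct_prologue(START_REGS, start_stack, FAKE_REGS, fake_stack)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it with no arguments and it prints the six recovered lines. The method only sees what left a trace in the stack or the registers: a local that happens to hold the same value a register had at entry is reported as a PUSH (marked with "; or" when more than one register matches), so check those slots by hand, and a gap reported as ADD ESP,-n could equally have been SUB ESP,n.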

cps530
March 29th, 2004, 09:35
Thanks, once more. I completely understand what you say. I am going to check your FTP.

j_petrucci
April 5th, 2004, 16:47
Hi Ricardo!

Do you also have some lessons or tutorials in English? It would be nice to translate some of your work...

Ricardo Narvaja
April 6th, 2004, 01:25
Today I have 205 tutorials, but only 5 or 6 in English (POINTH, ARMADILLO WITH COPYMEM2, WITHOUT COPYMEM2), nothing more.

Writing tutorials is hard work, investigating protections takes a lot of time, and I don't speak English well enough to translate and have no time.

If you have time to translate, do it; I will put the English versions on my FTP.

Ricardo

j_petrucci
April 8th, 2004, 16:49
Ricardo, I would be VERY happy to translate them for you, because I believe you are a pretty talented one, but unfortunately I can't speak Spanish!

sorry about that

take care

Ricardo Narvaja
April 8th, 2004, 17:38
SNIF SNIF, where are the bilingual crackers? hehe

Ricardo